To assist security teams reviewing infrastructure for log4j vulnerabilities from CVE-2021-44228, Request Tracker (RT) and Request Tracker for Incident Response (RTIR) do not use Java or log4j, so are not impacted. RT also has no required dependencies written in Java, so log4j would not be sourced as part of installing RT or RTIR.
If you have installed additional software to integrate with RT, it’s possible these other software packages might use log4j, so we encourage teams to assess non-RT packages that may need remediation.
We have also assessed our infrastructure for our hosted customers and found we do not run log4j on our hosted servers. We host on AWS, so we are continuing to assess other AWS services we use as part of our hosting infrastructure, and we are monitoring AWS announcements as they provide updates on services. Based on current announcements, services we use for all hosting customers are not impacted.
If you are a Best Practical support customer and you have any additional questions, please feel free to contact support and we will provide additional help and details.